Written by Paul Eccleson on Friday July 23, 2021
In this blog I’ll be taking a look at how and why the role profile of a governance, risk and compliance (GRC) professional is a challenging one. The mix of risk management, business strategy understanding, regulatory analysis and interpersonal influence required is daunting. If that wasn’t a big enough ask, I’d add another essential requirement: being alert to, and overcoming, basic human tendencies in oneself that will get in the way of ‘doing the right thing’. An effective GRC practitioner must face problems rather than avoid them, hold to principles when it is easier to dodge them and challenge commonly accepted beliefs when needed. What psychological research tells us is that these qualities do not come naturally to us as humans.
We are, by nature, social beings, and our desire to identify with groups and to ‘fit in’ is incredibly strong. In a classic experiment, a group of 10 people was asked to choose a drawn line from a set of options that were the same length as an example line they had been shown. Nine of the group were ‘plants’ who had all been instructed to choose the same, but obviously incorrect, line. The subject was then asked to make their choice. The majority of subjects went with the (clearly erroneous) consensus. Such conformity is enhanced when the ‘correct’ choice is less clear, by strong association with a group and when encouraged to act in a particular way by authority. In short, when all pulling towards the same, vaguely defined, goal and with authority figures leading the way, following erroneous pathways is much more likely. This is exactly what we have – and is desired – in most organisations.
To make matters worse, when faced with a challenging situation that requires intervention, most people will choose not to get involved. This is especially true when there are a lot of people witnessing the problem. Such diffusion of responsibility makes it more likely that no action will be taken at all, by anyone. There are several barriers to intervention at play here. If non-compliance is accepted as just the ‘way we do things’, colleagues may be completely blind to the issue in the first place. The same non-compliant culture may also make people feel that there is no point in escalating issues – the organisation will not doing anything about it anyway. A mixture of poor culture and feelings of personal impotence will undermine any policies or expectations the GRC function might set.
Sealing the deal for non-compliant behaviour is the human ability to morally disengage from our actions (or lack of action). I have focused in other articles for members of the ICA on the mechanisms people use to become comfortable with morally uncomfortable aspects of their own behaviour. We are masters of telling ourselves stories that reduce internal discomfort and allow us to sleep at night.
With this analysis, I am not concluding that humans are inherently ‘bad’ or ‘morally weak’. These natural tendencies can be used to enhance rather than compromise compliance. My intent is to illustrate the challenge that GRC professionals face in dealing with organisations and the internal challenges faced in containing their own natural tendencies.
Here are just a few personal words of encouragement based on what the psychological literature has to say about our GRC roles.
The strength of character needed to overcome these natural human instincts makes me immensely proud of GRC professionals. We carry out responsibilities that are fundamentally just: championing AML controls because money laundering fuels hideous crimes in our society or bringing the ‘voice of the customer’ into conversations where the ‘voice of profit’ has been dominant. At its core, GRC is a human challenge. Understanding the behavioural drivers of both ourselves and others is a fundamental requirement of what we do.
I offer the following clarion call: Be brilliant. Be human. Be proud.
 The ICA provides a helpful infographic here: https://www.int-comp.org/insight/2019/february/infographic-skills-and-attributes-of-a-compliance-officer/
This is the last article in Paul Eccleson's blog series entitled ‘The psychology of compliance’ for ICA.
More from Paul Eccleson:
[Members only content]
‘Why, when they knew it was wrong, did they continue to break the rules?’ This is perhaps the question I’ve been most often asked in my career in risk and compliance.
At the heart of every robust and effective GRC framework is a code of conduct. The cornerstone of a firm’s culture, a code of conduct establishes the basic expectations of an organisation’s members, the duties and responsibilities which they must fulfil and the behaviours they are expected to exhibit.
90% of data breaches reported to the UK Information Commissioner’s Office (ICO) in 2019 could be attributed to ‘human error’, according to user awareness company CybSafe.
Applications utilising artificial intelligence (AI) techniques to facilitate business processes are now offering firms the opportunity to automate functions once considered the sole domain of human intellect.
Becoming an ICA member will provide you with access to a wealth of resources on the ICA Continuous Learning portal.
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.
Help and support
Alternatively contact us on: +44(0)121 362 7534 / email@example.com (Course information)
or +44(0)121 362 7533 / firstname.lastname@example.org (Enrolled learners)
or +44(0)121 362 7747 / email@example.com (Membership)
or +44 (0) 121 362 7503 / firstname.lastname@example.org (End Point Assessment)